
Delete id from MySQL

In MySQL I have several users; when I want to delete a user I use the following code:

<td><b><a href='.?control=directeur&action=verwijderGebruiker&id=".$leerling->getId()."'><img src='img/delete.png' /></a></b></td>

In my controller:

 private function verwijderAction()
 {
       $this->model->verwijderGebruiker();
       $this->forward('default','directeur');
 }

And in my model:

 public function verwijderGebruiker()
 {
   $id = filter_var($_REQUEST['id'], FILTER_VALIDATE_INT);

   if($id!=false)
   {
     $sql = 'DELETE FROM `contacten` WHERE `id`=:id';
     $stmnt = $this->db->prepare($sql); // prepare the query
     $stmnt->bindParam(':id',$id); // bindParam binds the parameter ":<parameter>" to the "<variable>"
     $stmnt->execute(); // execute the query
   }
 }

When I want to delete an ID it says the right thing in the URL (action=verwijderGebruiker&id=5) but it doesn't delete it, instead it goes back to the home page.

Your id never gets inside your method. You have to hand it over to your function as a parameter:

public function verwijderGebruiker($id)
{
   $id = filter_var($id, FILTER_VALIDATE_INT);
   // ....
}

//call it outside your class with your request-variable:
$my_class = new MyClass();
$my_class->verwijderGebruiker($_REQUEST['id']);

Although you should check the value in $id before testing if it != false, there are more fundamental issues: changing database values based on parameters you get from a URL could allow someone to keep trying different values on the URL, and thereby change database values.

You may be removing records silently, or you may be doing nothing, depending on the value plugged into your URL by $leerling->getId().

I think $id probably has no value in it. The test is probably silently failing to say anything as it evaluates to false and no DB update can follow.

More importantly: the $id must be sent in a POST, not a GET request.

See: http://www.wikiwand.com/en/Hypertext_Transfer_Protocol#/Request_methods

Using GET should only retrieve data and should have no other effect.

Otherwise the URL can be sent with lots of sequential IDs and records changed in your database, a nightmare security fail!

Additionally, your test not only needs to ensure $id has a value, but that it is a DB record that can be deleted and to return a result, catching any faults.
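The two answers above make three points: pass the id into the method explicitly, only accept the delete over POST, and check that a record was actually removed. The following is an added example (not the original poster's code and not from either answer) that puts all three together. It assumes a PDO connection `$db`, a `contacten` table that also has an `owner_id` column (assumed, so the delete can be scoped to the caller's own rows), and a PHP session carrying `user_id` and a `csrf_token` generated elsewhere.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO $db, table
// `contacten` with integer `id` and (assumed) `owner_id` columns, and a
// session holding `user_id` and a CSRF token (e.g. bin2hex(random_bytes(32))).
declare(strict_types=1);

final class ContactRepository
{
    public function __construct(private PDO $db) {}

    // The id is an explicit parameter (answer 1) and is validated as a
    // positive integer. Returns the number of rows deleted so the caller
    // can tell "nothing matched" apart from "deleted".
    public function verwijderGebruiker(mixed $rawId, int $ownerId): int
    {
        $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('id must be a positive integer');
        }

        // Scope the delete to rows the caller owns: a guessed id belonging to
        // someone else matches nothing, so sequential-id probing deletes nothing.
        $stmt = $this->db->prepare(
            'DELETE FROM `contacten` WHERE `id` = :id AND `owner_id` = :owner'
        );
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount();
    }
}

// Controller side: require POST (answer 2) plus a CSRF token, so neither a
// plain link nor a crafted GET URL can trigger the delete.
function handleDelete(ContactRepository $repo): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return 'Method Not Allowed';
    }
    $token = $_POST['csrf_token'] ?? '';
    if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        return 'Invalid CSRF token';
    }
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        return 'Login required';
    }

    try {
        $deleted = $repo->verwijderGebruiker($_POST['id'] ?? null, (int) $_SESSION['user_id']);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return $e->getMessage();
    } catch (PDOException $e) {
        error_log('delete failed: ' . $e->getMessage()); // log details, do not leak them
        http_response_code(500);
        return 'Delete failed';
    }

    // rowCount() of 0 means no matching owned record: report it instead of
    // silently redirecting to the home page.
    if ($deleted === 0) {
        http_response_code(404);
        return 'No such record';
    }
    return 'Deleted';
}

// The view renders a small POST form in place of the GET link from the question.
function deleteButton(int $id, string $csrfToken): string
{
    return sprintf(
        '<form method="post" action="?control=directeur&amp;action=verwijderGebruiker">'
        . '<input type="hidden" name="id" value="%d">'
        . '<input type="hidden" name="csrf_token" value="%s">'
        . '<button type="submit"><img src="img/delete.png" alt="delete"></button></form>',
        $id,
        htmlspecialchars($csrfToken, ENT_QUOTES, 'UTF-8')
    );
}
```

The ownership condition in the `WHERE` clause is what turns "someone tries lots of sequential IDs" into a no-op rather than a data loss, and returning `rowCount()` is what lets the controller distinguish a successful delete from a request that matched nothing.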
